# Fork and Merge Hunt Flows

No one knows what is the correct threat hypothesis from the beginning. This makes threat hunting hard, but also makes it exciting---developing the threat hypothesis along the hunting procedure. You may find some part of the hunt correct or useful but the following part is not. You may want to fork hunt flows to verify hypothesis variants or even different threat hypotheses. You may want to merge hunt flows and apply the same following hunt steps onward. Hunt flows to Kestrel is like control-flow to a classic detection/investigation program. In addition, the hunt flow is dynamically composed, updated, and developed to fit the best threat hypothesis.

## What you will learn

0. What is composable hunt flow?
1. How to fork a hunt flow?
2. How to merge two hunt flows?
3. Exercise: identify hunt flow branching

### 0. What is composable hunt flow?

Reuse a hunt flow, cut part of a hunt flow and concatenate it with another, fork a hunt flow, merge hunt flows. These are all operations to compose hunt flow from small hunt flow segments. Visit the Kestrel documentation to learn more about [composable hunt flow](https://kestrel.readthedocs.io/en/latest/language.html#composable-hunt-flow).

### 1. How to fork a hunt flow?

Use a variable in multiple upcoming hunt steps to fork a hunt flow into multple branches:

In [1]:
# the trunk hunt flow
conns = GET network-traffic
        FROM file:///tmp/lab101.json
        WHERE dst_port > 0
        START 2021-04-03T00:00:00Z STOP 2021-04-04T00:00:00Z



VARIABLE,TYPE,#(ENTITIES),#(RECORDS),directory*,file*,ipv4-addr*,ipv6-addr*,mac-addr*,network-traffic*,process*,user-account*,x-ecs-destination*,x-ecs-network*,x-ecs-process*,x-ecs-source*,x-ecs-user*,x-oca-asset*,x-oca-event*
conns,network-traffic,425,504,504,504,1534,926,504,79,504,504,504,504,504,504,504,504,504


In [2]:
# fork a branch to get external IPv4
conns_ext = GET network-traffic
            FROM conns
            WHERE dst_ref.value NOT LIKE '10.%'

ipv4_ext = FIND ipv4-addr ACCEPTED conns_ext

DISP ipv4_ext ATTR value



value
104.97.85.29
104.97.85.50
13.86.101.172
23.199.63.11

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),directory*,file*,ipv4-addr*,ipv6-addr*,mac-addr*,network-traffic*,process*,user-account*,x-ecs-destination*,x-ecs-network*,x-ecs-process*,x-ecs-source*,x-ecs-user*,x-oca-asset*,x-oca-event*
conns_ext,network-traffic,4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
ipv4_ext,ipv4-addr,4,10,514,514,1560,936,514,514,514,514,534,534,534,534,534,534,534


In [3]:
DISP conns



dst_port,src_port,protocols,id,dst_ref.value,dst_ref.id,src_ref.value,src_ref.id
59377,5355,"[""-"",""udp"",""ipv6""]",network-traffic--003a5e2b-bbae-5079-9848-41988874531f,fe80:0:0:0:b4f9:9c50:5bbe:33fc,ipv6-addr--a994d7e8-bd08-50d1-98a6-1c8ccc32eff1,ff02:0:0:0:0:0:1:3,ipv6-addr--c7d064f7-469d-5b99-8432-7543daf1236d
61839,5355,"[""-"",""udp"",""ipv6""]",network-traffic--00bb333d-7476-5016-837c-bfff384aee6b,fe80:0:0:0:ec2a:e0c7:9c75:38e1,ipv6-addr--33f45e21-00f4-530c-8f55-6894890c2815,ff02:0:0:0:0:0:1:3,ipv6-addr--c7d064f7-469d-5b99-8432-7543daf1236d
60484,5355,"[""-"",""udp"",""ipv6""]",network-traffic--02639fdb-c49e-5b7d-a772-4d577c24f699,fe80:0:0:0:c510:f48a:83b0:5813,ipv6-addr--4e1a8cc0-827d-5b82-bc08-92a0dc6f65b0,ff02:0:0:0:0:0:1:3,ipv6-addr--c7d064f7-469d-5b99-8432-7543daf1236d
60928,5355,"[""-"",""udp"",""ipv4""]",network-traffic--02fe5318-b422-588d-b4cd-e8f1b80b5177,10.184.146.75,ipv4-addr--f658fa52-1aa1-5205-9edf-cefba98960b2,224.0.0.252,ipv4-addr--74d49a58-2d10-5205-967a-e1ace85ce39a
61480,5355,"[""-"",""udp"",""ipv6""]",network-traffic--031e6ada-5172-5494-b6b7-d1441d7ec7f5,fe80:0:0:0:b4f9:9c50:5bbe:33fc,ipv6-addr--a994d7e8-bd08-50d1-98a6-1c8ccc32eff1,ff02:0:0:0:0:0:1:3,ipv6-addr--c7d064f7-469d-5b99-8432-7543daf1236d
63262,5355,"[""-"",""udp"",""ipv6""]",network-traffic--036159af-e426-5003-a672-a479d4fc3552,fe80:0:0:0:c510:f48a:83b0:5813,ipv6-addr--4e1a8cc0-827d-5b82-bc08-92a0dc6f65b0,ff02:0:0:0:0:0:1:3,ipv6-addr--c7d064f7-469d-5b99-8432-7543daf1236d
5353,5353,"[""-"",""udp"",""ipv6""]",network-traffic--03c20a76-544a-5df8-b8de-310d569ddcf1,fe80:0:0:0:4f5:f1ff:fe11:ed59,ipv6-addr--9d3fc8f6-67b9-5968-aeaa-c243b6ad8718,ff02:0:0:0:0:0:0:fb,ipv6-addr--c8bd11f6-d187-58f7-a67e-9990deafc98e
61814,5355,"[""-"",""udp"",""ipv6""]",network-traffic--03e39837-5fb8-54de-a1e7-1e12b07e8c00,fe80:0:0:0:c510:f48a:83b0:5813,ipv6-addr--4e1a8cc0-827d-5b82-bc08-92a0dc6f65b0,ff02:0:0:0:0:0:1:3,ipv6-addr--c7d064f7-469d-5b99-8432-7543daf1236d
53413,5355,"[""-"",""udp"",""ipv4""]",network-traffic--0419bc38-9e48-5d00-a735-3c92ad196d85,10.184.146.75,ipv4-addr--f658fa52-1aa1-5205-9edf-cefba98960b2,224.0.0.252,ipv4-addr--74d49a58-2d10-5205-967a-e1ace85ce39a
53,52822,"[""domain"",""udp"",""ipv4""]",network-traffic--0446320c-6ad1-5a1a-86e7-9b0bb4998282,10.0.18.50,ipv4-addr--4faca8c7-e641-5601-ba8f-f0bb83b42429,10.171.5.141,ipv4-addr--acd79385-3cfb-503c-8e70-cd2f236ed371


In [4]:
# fork another branch to find processes associated with the network-traffic
procs = FIND process CREATED conns

proc_parents = FIND process CREATED procs

DISP proc_parents ATTR name



VARIABLE,TYPE,#(ENTITIES),#(RECORDS),directory*,file*,ipv4-addr*,ipv6-addr*,mac-addr*,network-traffic*,process*,user-account*,x-ecs-destination*,x-ecs-network*,x-ecs-process*,x-ecs-source*,x-ecs-user*,x-oca-asset*,x-oca-event*
procs,process,363,505,1019,1020,3100,1863,1019,1018,657,1019,2066,2066,2067,2066,2067,2067,2067
proc_parents,process,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0


In [5]:
# fork a small branch from the second branch to grab the child processes
proc_children = FIND process CREATED BY procs

DISP proc_children ATTR name



name
rdpclip.exe

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),directory*,file*,ipv4-addr*,ipv6-addr*,mac-addr*,network-traffic*,process*,user-account*,x-ecs-destination*,x-ecs-network*,x-ecs-process*,x-ecs-source*,x-ecs-user*,x-oca-asset*,x-oca-event*
proc_children,process,1,1,506,508,1538,928,506,504,507,506,1018,1018,1022,1018,1022,1022,1022


### 2. How to merge two hunt flows?

Just do `varX + varY` to merge variables, a.k.a., the results of hunt flows:

In [6]:
proc_all = procs + proc_children

DISP proc_all ATTR name, pid



name,pid
rdpclip.exe,13624
svchost.exe,1068
svchost.exe,1552
svchost.exe,1632
svchost.exe,1776
svchost.exe,3612

VARIABLE,TYPE,#(ENTITIES),#(RECORDS),directory*,file*,ipv4-addr*,ipv6-addr*,mac-addr*,network-traffic*,process*,user-account*,x-ecs-destination*,x-ecs-network*,x-ecs-process*,x-ecs-source*,x-ecs-user*,x-oca-asset*,x-oca-event*
proc_all,process,364,506,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0


### 3. Exercise: identify hunt flow branching

Identify branches of hunt flows in **4. Group Entities in a Variable.ipynb**